> What countermeasures are appropriate?
on the F and C root name servers, we use freebsd "ipfw" to limit each
ingress flow to 100Kbits/sec. this seems to cause bad actors to slow
down, since they are in lockstep to our replies.
# limit inbound dns to 10Kbit/s UDP, 100Kbit/s TCP per source address (flow)
add pipe 1 udp from any to any 53 in
pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
add pipe 2 tcp from any to any 53 in
pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
# protect the host (normal firewall stuff)
you might consider something very similar in the dcc server code, since
not every dcc server will be running on freebsd or otherwise have this
kind of rate limiting built into its kernel.
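As an added example (not code from this post, from ipfw, or from the DCC server) of what such per-source limiting looks like in application code: a token-bucket table that approximates the "pipe ... mask src-ip buckets 1024 bw 10Kbit/s queue 3" rules above. The bucket count, rate and burst are assumed constants; unlike an ipfw pipe, which queues and delays, this version answers "send now or drop" so a UDP server can simply decline to reply.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Per-source token-bucket limiter (added example, not from the post).
 * Each /32 source hashes to one of NBUCKETS slots; a slot earns bytes at
 * BW_BITS_PER_SEC and can hold at most BURST_BYTES, roughly the "queue 3"
 * depth of the ipfw pipe.  Colliding sources share a slot, as flows that
 * land in the same ipfw bucket would. */
#define NBUCKETS 1024               /* like "buckets 1024"; slot_for() assumes 2^10 */
#define BW_BITS_PER_SEC 10000.0     /* like "bw 10Kbit/s" */
#define BURST_BYTES (3 * 512)       /* ~3 queued 512-byte DNS/UDP packets */

struct bucket { uint32_t src; int used; double tokens; double last; };
static struct bucket table[NBUCKETS];

static unsigned slot_for(uint32_t src) {
    /* Fibonacci hashing: multiply mod 2^32, keep the top 10 bits */
    return (src * 2654435761u) >> (32 - 10);
}

/* Returns 1 if a reply of `bytes` to `src` fits that source's budget at
 * time `now` (seconds), 0 if the reply should be dropped. */
int rl_allow(uint32_t src, size_t bytes, double now) {
    struct bucket *b = &table[slot_for(src)];
    if (!b->used || b->src != src) {  /* new or evicted flow: start full */
        b->src = src; b->used = 1; b->tokens = BURST_BYTES; b->last = now;
    }
    double earned = (now - b->last) * BW_BITS_PER_SEC / 8.0;  /* bits -> bytes */
    b->tokens += earned;
    if (b->tokens > BURST_BYTES) b->tokens = BURST_BYTES;
    b->last = now;
    if (b->tokens < (double)bytes) return 0;
    b->tokens -= (double)bytes;
    return 1;
}

/* Clear all state (useful between tests or on reconfiguration). */
void rl_reset(void) { memset(table, 0, sizeof table); }
```

A server would call rl_allow() with the client address and the reply size before sending; a source in lockstep with its replies then slows to the configured rate, which is the effect the post describes.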